Joint Notice of Privacy Practices

THIS JOINT NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

PLEASE REVIEW IT CAREFULLY.

EFFECTIVE DATE: AUGUST 15, 2016

Who Must Follow This Notice

This Joint Notice of Privacy Practices (Notice) must be followed by all faculty, providers, nurses, administrators, employees and other workforce members, and business associates of The University of Texas MD Anderson Cancer Center (MD Anderson) and the Proton Therapy Center Houston (PTC).

This Notice applies to every patient’s personal medical information, or “protected health information,” with respect to MD Anderson and the PTC.

Protected health information (PHI) is a term used to describe your personal medical information and includes any information, whether oral, written or recorded in electronic form, that is created or received by us as health care providers, and that identifies you and relates to your past, present or future physical or mental health, or condition, treatment or payment for your health care.

From this point on, we will refer to your protected health information as PHI.

The Purpose of this Notice

This Notice tells you about the uses and disclosures that we make with your PHI, certain rights that you have, and obligations that we are bound to with respect to such information. We care about the privacy and confidentiality of your PHI. We have developed policies, created procedures and taken other steps to help keep your PHI confidential. This Notice gives a summary of those steps, explains your privacy rights, and shares phone numbers and addresses you can use to ask questions or make requests.

We are required by law to:

Maintain the privacy of your PHI.

Give you this Notice of our legal duties and privacy practices with respect to your PHI.

Notify you in the event of a breach of your PHI.

We follow the terms of this Notice as long as it is in effect. If we revise this Notice, we will make the revised Notice available to you upon request and will follow the terms of the revised Notice as long as it is in effect. This Notice is maintained on our website and in certain locations or sites where treatment, payment and health care operations activities may occur.

This Notice applies to PHI created, maintained, used or disclosed in records related to the care and services that you receive at MD Anderson or the PTC.

We maintain your PHI in records that are kept confidential, as required by law. However, we must use and disclose your PHI to the extent necessary to provide you with quality health care. To do this, MD Anderson and the PTC must share your PHI with each other, as necessary, and with others, as appropriate, for treatment, payment and health care operations.

We May Use and Disclose Your PHI Electronically

We use an electronic health record system to manage your medical information. We may create, receive, maintain and disclose your PHI in electronic format.

We may communicate with you through email, text messages, phone calls and the secure myMDAnderson.org patient portal. Communications within myMDAnderson.org are secure. Emails, text messages or other electronic communications outside of myMDAnderson.org may not be encrypted or secure, and could be read or otherwise accessed by another person or organization. We will assume that you understand these risks if you initiate electronic communication with us outside of myMDAnderson.org or agree to receive communications from us in a non-secure format.

We May Use and Disclose Your PHI for Treatment

We may use and disclose your PHI to provide you with health care treatment or services. Treatment includes sharing PHI among health care providers involved in your care, both inside and outside of MD Anderson and the PTC. For example, your health care provider may share information about your condition with pharmacists to discuss appropriate medications, or with radiologists or other consultants to make a diagnosis. Different departments within our facilities may also share your PHI to coordinate such things as prescriptions, dietary needs, physical therapy, social work, psychiatric support, lab work and diagnostic imaging.

Appointment Reminders and Routine Instructions: We may contact you to provide appointment reminders through myMDAnderson.org, text message, phone, email or mail. We may send automated texts or phone calls to contact you for certain routine purposes (for example, appointment reminders, pre-registration instructions, pre-operative instructions, lab results, post-discharge follow up, prescription instructions and other treatment-related instructions). By giving us your phone number or email address, we presume that you have consented to be contacted at that number or address.

Health Information Exchanges: We participate in electronic Health Information Exchanges (HIEs). HIEs allow your participating health care providers to electronically share certain information from your health records. For example, if you go to a hospital emergency room, that hospital may be able to access parts of your MD Anderson electronic health record so it can treat you more safely and efficiently. We will allow your health records to be seen by other participating providers unless you inform us that you do not want other participating providers to see your health records.

Outside Health Care Providers: We may communicate with your referring and follow-up providers and with post-acute care facilities to which you may be transferred, keeping them informed about your care. This communication may be accomplished by using a secure electronic portal.

Sensitive Information: Your health record may contain information about your HIV status, sexually transmitted diseases, mental health, genetic makeup and/or substance abuse treatment. We may need to share this information with your other treating providers so they can treat you safely and effectively. When required by law, we will ask for your written permission before sharing this information with your other treating providers.

Treatment Alternatives: We may contact you with information about treatment alternatives or other health-related benefits or services that may be of interest to you.

We May Use and Disclose Your PHI for Payment

We may use and disclose your PHI as requested by your health plan, insurer or other third-party payor, to obtain payment for treatments or services we provided to you. We may also tell your health plan, insurer or other third-party payor about a treatment or service to obtain prior approval or to determine whether your health plan, insurer or other third-party payor will cover the treatment or service.

We May Use and Disclose Your PHI for Health Care Operations

We may use and disclose your PHI for health care operations. These include:

Case Management and Care Coordination: We may use and disclose your PHI for case management and care coordination in an effort to improve the effectiveness and efficiency of care delivered by us.

Customer Service and Data Analysis: We may use and disclose your PHI to review and help improve our patient satisfaction and customer service levels, and for internal data analyses.

Fundraising: We may use and disclose limited portions of your PHI for our fundraising activities. This information includes your name, address, contact information, age, gender, insurance status, dates of service at MD Anderson or the PTC, treating physicians and departments, and outcome information. This information allows us to be more specific with our fundraising efforts. You may opt out of fundraising communications by requesting to be removed from our fundraising database. Instructions on how to stop receiving future fundraising communications will be included on each fundraising solicitation.

myMDAnderson.org: MD Anderson provides patients with myMDAnderson.org, a secure online patient portal, to view health records and appointments, communicate with health care providers, and provide information about services available in Houston and surrounding areas. We use information from your health record, including your demographic information, to provide this service.

Quality Improvement and Review of Resources and Staff: We may use and disclose your PHI to improve the quality of care we provide (for example, for conducting quality assessments, reviewing the qualifications and competence of our medical staff, and selecting, educating, and training our employees and staff).

Security: We may use or disclose your PHI to provide security at MD Anderson facilities. For example, we use security cameras and share limited PHI with University of Texas police officers as necessary for security purposes.

Social Media: MD Anderson participates in a number of online public social media sites. If you or others choose to share your health information on our online social media sites, this information is considered to be public and not protected by privacy laws, and may be re-posted or shared by MD Anderson or others. If you do not want your health information to be public, you should not share it on online public social media sites.

We May Disclose Your PHI to Our Business Associates

We may disclose your PHI to certain other persons or companies with whom we contract to provide services on our behalf. These persons or companies are called “business associates”. Our business associates are required to appropriately safeguard the PHI of our patients.

We May Use and Disclose Your PHI for Directory Purposes, for Notification Purposes and to Individuals Involved in Your Care

If you do not object, we may use and disclose your PHI for directory purposes, for notification purposes and to individuals involved in your care.

Certain Directory Information: If you do not object, we may disclose your location and your general condition to people who ask about you by name. We may also share your name and religious affiliation with members of the clergy, even if they do not ask for you by name.

Disaster Relief: If you do not object, we may disclose your PHI to a public or private entity authorized by law, such as the American Red Cross, for the purpose of coordinating with such public or private entity to assist in disaster relief efforts related to you.

Family, Close Personal Friends and Representatives Involved in Your Care: If you do not object, we may disclose relevant PHI to any support person involved in your care or payment for your care, including family members, friends, or anyone else you indicate is involved in your care. We may also notify your family members, personal representatives, or others responsible for your care about your location and general condition, or in the unfortunate event of your death.

We May Use and Disclose Your PHI Without Your Written Authorization as Required or Permitted by Law

We may use and disclose your PHI without your written Authorization as required or permitted by law. For example:

Public Health/Health Oversight Activities: We may use and disclose your PHI for public health activities, including for reporting disease, injury and/or vital events, and for conducting public health surveillance, investigation and/or intervention. We may disclose your PHI to a health oversight agency for oversight activities authorized by law, including for audits, investigations, inspections, licensure or disciplinary actions, and administrative and/or legal proceedings or actions.

Disclosure to the Secretary of the U.S. Department of Health and Human Services: We may disclose your PHI when required by the Secretary of the U.S. Department of Health and Human Services as part of an investigation or a determination of our compliance with relevant laws.

Abuse or Neglect: In accordance with federal and state law, we may disclose your PHI when it concerns abuse, neglect or domestic violence to you, such as reporting to social welfare, law enforcement or protective service agencies. Except in certain limited situations, we must promptly inform you that a report of abuse, neglect or domestic violence has been or will be made.

Judicial or Administrative Proceedings: We may use and disclose your PHI in the course of lawful judicial or administrative proceedings, in accordance with a court order, warrant, subpoena, discovery request or other legal process that complies with privacy and confidentiality requirements.

Law Enforcement: We may disclose your PHI to law enforcement personnel for certain law enforcement purposes. Examples include disclosing limited information to identify or locate a suspect, fugitive, material witness or missing person; to report crimes in emergencies; to report deaths or certain violent injuries; and to meet other mandatory reporting requirements.

Specialized Government Functions: We may disclose your PHI for specialized governmental functions, such as military and veterans’ activities, national security, intelligence activities, and for the provision of protective services to the President of the United States and other officials. We may also disclose your PHI for correctional institution and other law enforcement custodial purposes.

Coroners, Medical Examiners and Funeral Directors: We may disclose your PHI to a coroner, medical examiner or funeral director, as necessary for them to fulfill their duties.

Organ, Eye and Tissue Donation: If you are an organ, eye or tissue donor, we may disclose your PHI to an organ donation and procurement organization.

Research: An important part of our mission is research. We conduct many research studies, some of which involve genetic information. We may store your PHI in electronic data warehouses to be used for research purposes. Our researchers may use your PHI to prepare research protocols or identify potential study participants. Additionally, our researchers may use and disclose your PHI for research once the research protocol has been reviewed and approved by an Institutional Review Board (IRB). An IRB is a committee responsible for protecting individual research participants and ensuring that research is conducted ethically. Some research studies require your consent (for example, studies in which participants receive experimental drugs or therapies), but other research studies may use and disclose your PHI without your consent if an IRB gives the researchers permission to use and disclose your PHI for research. We may disclose your PHI to outside collaborators and sponsors, if you or an IRB approve the disclosure.

Public Safety: We may use and disclose your PHI when we determine that it is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.

Workers’ Compensation: We may disclose your PHI to workers’ compensation programs or similar programs established by law to provide benefits for work-related injuries or illnesses.

We May Use and Disclose Your PHI with Your Permission (Authorization)

The use or disclosure of your PHI for purposes or activities not listed above or otherwise permitted by law will be made only with your written permission, called an “Authorization”. If you permit us to use and disclose your PHI, you may revoke (cancel) that permission, in writing, at any time. If you revoke your permission, we will no longer use and disclose your PHI for the reasons covered by your written permission. However, we are unable to take back any disclosures we have already made with your permission. If your PHI is disclosed to a third party with your permission, that PHI is no longer subject to this Notice, and the recipient may re-disclose your PHI if the recipient is not subject to federal privacy laws.

Use or Disclosure of Psychotherapy Notes: Most uses and disclosures of your psychotherapy notes require your written Authorization. Psychotherapy notes are notes taken by a mental health professional, such as a psychiatrist or a clinical psychologist, during a private counseling session. Psychotherapy notes are not notes or observations made about your mental state during your course of treatment by a provider or practitioner who is not a mental health professional.

Use or Disclosure of Your PHI for Marketing: We will not use and disclose your PHI for marketing purposes without your written Authorization. Marketing does not include refill reminders; appointment reminders; communications for purposes of case management or care coordination; recommendations for alternative treatments, therapies, care providers or care settings; or descriptions about health-related products and services we offer.

Sale of Your PHI: We may not sell your PHI without your Authorization. However, when we disclose your PHI for any purpose permitted or required by law (such as for treatment, payment or health care operations), we may charge the requestor a reasonable, cost-based fee to cover the cost of preparing and transmitting your PHI. For example, we may charge the requestor a reasonable, cost-based fee when disclosing your PHI for public health purposes, research purposes, treatment purposes or payment purposes. We may also charge you a reasonable, cost-based fee when you request copies of your health and billing records.

Your Rights Regarding Your PHI

You have the following rights regarding your PHI, provided that you make a written request to invoke these rights on the forms provided by us.

Your Right to Request Restrictions: You have the right to request a restriction or limitation on our use or disclosure of your PHI for treatment, payment or health care operations. You also have the right to request a restriction or limitation on our disclosure of your PHI to someone who is participating in your care or the payment for your care, such as a family member or friend. For example, you could ask that we not use and disclose information about a particular surgery that you have had. You may not request restriction of a disclosure that is required by law. We will attempt to accommodate all reasonable restriction requests, but we are not obligated to agree to a restriction (except as noted in this paragraph), and in certain circumstances we may not be able to comply. We are required to comply with your request that we not disclose certain PHI to a health plan, insurer or other third-party payor for payment or health care operations purposes if the PHI relates solely to treatment or services that have been fully paid out-of-pocket. To request a restriction, you must make your request in writing to the Chief Privacy Officer at The University of Texas MD Anderson Cancer Center, Institutional Compliance Office, Unit 1640, PO Box 301407, Houston, TX, 77230-1407, or by email at PrivacyCompliance@mdanderson.org. In your request, you must tell us: (1) what information you want to limit; (2) whether you want to limit our use or disclosure of the information (or both use and disclosure); and (3) to whom you want the limits to apply (for example, disclosures to your spouse).

Your Right to Request Alternate Communication Methods or Locations: You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we only contact you by phone at work, or that we only contact you by mail at home or an alternative address. To request such alternative methods or locations, you must make your request in writing to the Chief Privacy Officer at The University of Texas MD Anderson Cancer Center, Institutional Compliance Office, Unit 1640, PO Box 301407, Houston, TX, 77230-1407, or by email at PrivacyCompliance@mdanderson.org. We will not ask you the reason for your request. We will attempt to accommodate all reasonable requests, but we may condition our approval, when appropriate, upon receiving information as to how payment, if any, for your care will be handled. Your request must also specify how or where you wish to be contacted.

Your Right to Inspect and Copy: You have the right to inspect and copy PHI that may be used to make decisions about your care. Usually, this PHI includes health and billing records, and excludes psychotherapy notes. To inspect and copy PHI that may be used to make decisions about your care, you may submit your request in writing to The University of Texas MD Anderson Cancer Center, 7007 Bertner Ave., Unit 1632, Houston, TX, 77030, Attention: Release of Information; or by calling 713-792-6710. If you request a copy of this PHI, we may charge you for certain reasonable costs associated with your request (copying and mailing or other delivery method). We will take action on your request within 15 days of receiving your written request. In certain very limited circumstances, we may deny your request to inspect and copy this PHI. In most cases, when you are denied access to this PHI, you may request that the denial be reviewed. Another licensed health care professional chosen by us will review your request and the denial. The person conducting the review will not be the person who denied your request. We will comply with the outcome of the review.

Your Right to Request Amendment: If you feel that the information in your health and billing records is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by or for MD Anderson or the PTC. You may submit your request in writing to The University of Texas MD Anderson Cancer Center, 7007 Bertner Ave., Unit 1632, Houston, TX, 77030, Attention: Health Information Management; or by calling 713-792-6710. In addition, you must provide a reason that supports your request. We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that: (1) was not created by us, unless you provide us with information showing that the person or entity that created the information is no longer available to make the amendment; (2) is not part of the health, billing or other designated record sets kept by or for MD Anderson or the PTC; (3) is not part of the information that you would be permitted to inspect and copy; or (4) is accurate and complete. We will act upon your request for an amendment within 60 days of our receipt of your written request.

Your Right to an Accounting of Disclosures: You have the right to receive an accounting, or list, of certain disclosures made by us regarding your PHI, including disclosures made to or by our business associates. The accounting of disclosures will include: (1) the date of each disclosure; (2) the name of the entity or person who received your PHI and, if known, the address; (3) a brief description of the PHI disclosed; and (4) a brief statement of the purpose of the disclosure. However, this list will not include, for example, disclosures made to carry out treatment, payment or health care operations, nor will it include disclosures made pursuant to a valid Authorization. To request this list, you may submit your request in writing to The University of Texas MD Anderson Cancer Center, 7007 Bertner Ave., Unit 1632, Houston, TX, 77030, Attention: Release of Information; or by calling 713-792-6710. Your request should state a time period that may not be longer than six years prior to your request. The first list you request within a 12-month period will be free of charge. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved, and you may choose to withdraw or modify your request at that time and before any costs are incurred. We will act upon your request for accounting within 60 days after we receive your written request.

Your Right to Revoke Your Authorization: You have the right to revoke your Authorization at any time, by sending a written request to the Chief Privacy Officer, MD Anderson Cancer Center, Institutional Compliance Office, Unit 1640, PO Box 301407, Houston, TX, 77230-1407; or by email at PrivacyCompliance@mdanderson.org.

Your Right to a Paper Copy of This Notice: You have the right to a paper copy of this Notice. You may ask us to give you a copy of this Notice at any time. Even if you have agreed to receive this Notice electronically, you are still entitled to a paper copy of this Notice. To obtain a paper copy of this Notice, contact the Chief Privacy Officer at The University of Texas MD Anderson Cancer Center, Institutional Compliance Office, Unit 1640, PO Box 301407, Houston, TX, 77230-1407; or by email at PrivacyCompliance@mdanderson.org. You may also view this Notice on our website at http://www.mdanderson.org/npp.

We Are Required to Notify You If Your PHI is Breached

A breach is an unpermitted use or disclosure of PHI in which there is more than a low probability that such PHI has been compromised. We will notify you in the event of a breach of your PHI. If you agree, we may notify you of a breach via email.

Submitting Privacy Complaints

If you believe your privacy rights have been violated, you may file a complaint with us by calling the Privacy Hotline at 1-888-337-7497 or MD Anderson’s Institutional Compliance Office at 713-745-6636, or by contacting the Chief Privacy Officer at The University of Texas MD Anderson Cancer Center, Institutional Compliance Office, Unit 1640, PO Box 301407, Houston, TX, 77230-1407; or by email at PrivacyCompliance@mdanderson.org.

You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services by contacting the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), and submitting the complaint in writing (whether paper or electronically, by mail, fax, or email at OCRMail@hhs.gov). You may also request additional information about how to file a complaint with the OCR online at http://www.hhs.gov/ocr/privacy/hipaa/complaints/, by email at OCRMail@hhs.gov or by phone at 1-800-368-1019. You have 180 days from the date you found out about the privacy incident to file your complaint with the OCR. The OCR may extend the 180-day period if you can show “good cause”.

Anyone can file a complaint, and you will not be penalized or retaliated against in any way for filing a complaint.

We May Make Changes to This Notice

We reserve the right to change this Notice at any time. We reserve the right to make the revised or changed Notice effective for PHI we already have about you as well as any information we receive in the future. We will post a copy of the current Notice in MD Anderson and PTC facilities, as well as on our website. The Notice will include the effective date. In addition, the updated Notice will be given to each new patient, and is available to all returning patients upon request.

Should you have any questions...

Should you have any questions about the contents of this Notice, please contact the Chief Privacy Officer at The University of Texas MD Anderson Cancer Center, Institutional Compliance Office, Unit 1640, PO Box 301407, Houston, TX, 77230-1407; by email at PrivacyCompliance@mdanderson.org; through MD Anderson’s Institutional Compliance Office at 713-745-6636; or through the Privacy Hotline at 1-888-337-7497.

Effective Dates: Our Notice of Privacy Practices was originally issued on April 14, 2003. Since that time, the Notice has been revised on December 1, 2006, August 21, 2013, and August 15, 2016.